Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Analyzing Malware with REMnux

hiddenillusion
June 11, 2012
Technology
2
1.2k

Analyzing Malware with REMnux

"This talk will outline how one can more efficiently and effectively perform their malware analysis by focusing on resources such as REMnux. While the topic’s scope can be quite large, the focus will be mainly on analyzing Portable Executable (PE) files. We’ll see how to identify what the file in question is to ascertain that it is a PE file and then dive into how one can perform file analysis in an automated fashion as well use some manual methods. With the automated methods, we will look at some simple scripting that the analyst can do and touch on what’s currently included in the tools so the analyst can fully understand what the tools do and how they can be altered to fit their needs."
http://www.nyc4sec.info/events/54791592/?eventId=54791592

hiddenillusion

June 11, 2012
Tweet

More Decks by hiddenillusion

See All by hiddenillusion
Mo' Memory No' Problem
hiddenillusion
2
19k
What's going on out there?
hiddenillusion
2
400
Forensic Analysis of Windows Restore Points
hiddenillusion
1
93

Other Decks in Technology

See All in Technology
新R25、乃木坂46 Mobileなどのファンビジネスを支えるマルチテナンシーなプラットフォームの全体像 / cam-multi-cloud
cyberagentdevelopers
PRO
1
130
Apple/Google/Amazonの決済システムの違いを踏まえた定期購読課金システムの構築 / abema-billing-system
cyberagentdevelopers
PRO
1
220
Product Engineer Night #6プロダクトエンジニアを育む仕組み・施策
hacomono
PRO
1
480
大規模データ基盤チームのオンプレTiDB運用への挑戦 / dpu-tidb
cyberagentdevelopers
PRO
1
110
コンテンツを支える 若手ゲームクリエイターの アートディレクションの事例紹介 / cagamefi-game
cyberagentdevelopers
PRO
1
130
とあるユーザー企業におけるリスクベースで考えるセキュリティ業務のお話し
4su_para
3
330
分布で見る効果検証入門 / ai-distributional-effect
cyberagentdevelopers
PRO
4
700
コンテナのトラブルシューティング目線から AWS SAW についてしゃべってみる
kazzpapa3
1
110
Amazon_CloudWatch_ログ異常検出_導入ガイド
tsujiba
4
1.6k
visionOSでの空間表現実装とImmersive Video表示について / ai-immersive-visionos
cyberagentdevelopers
PRO
1
110
AIを駆使したゲーム開発戦略: 新設AI組織の取り組み / sge-ai-strategy
cyberagentdevelopers
PRO
1
130
小規模に始めるデータメッシュとデータガバナンスの実践
kimujun
3
600

Featured

See All Featured
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
3
370
ReactJS: Keep Simple. Everything can be a component!
pedronauck
664
120k
Bash Introduction
62gerente
608
210k
Building an army of robots
kneath
302
42k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Fashionably flexible responsive web design (full day workshop)
malarkey
404
65k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
For a Future-Friendly Web
brad_frost
175
9.4k
A Modern Web Designer's Workflow
chriscoyier
692
190k
Why You Should Never Use an ORM
jnunemaker
PRO
53
9k
Designing Experiences People Love
moore
138
23k

Transcript

  1. Analyzing Malware with REMnux Glenn P. Edwards Jr. Senior Consultant

    Incident Response & Digital Forensic Practice Foundstone Professional Services

  2. www.foundstone.com Copyright © 2012, McAfee, Inc. # whoami Glenn P.

    Edwards Jr. ▪ Have some fancy letters after my name  M.S. in Digital Forensics, University of Central Florida  B.S. in Information Security & Privacy, High Point University  GREM, GCIH, GCFA (yada yada…) ▪ started to come out of the shadows…  @hiddenillusion  hiddenillusion.blogspot.com  blog.opensecurityresearch.com … you get the point # id uid=0(Senior Consultant) gid=0(Foundstone) groups=0(IR Practice)

  3. www.foundstone.com Copyright © 2012, McAfee, Inc. PE file $ xxd

    file | head

  4. www.foundstone.com Copyright © 2012, McAfee, Inc. REMnux ▪ Around since

    2010 ▪ VM based or ISO ▪ Current v3 is based on Ubuntu 11.10 ▪ Full of goodies   ~remnux/.bash_aliases  /usr/local/bin/  /usr/bin/ http://zeltser.com/remnux/ http://zeltser.com/remnux/remnux-malware-analysis-tips.html $ man REMnux

  5. www.foundstone.com Copyright © 2012, McAfee, Inc. REMnux wireshark honeyd fakedns

    fakemail iietsim netcat NetworkMiner tcpdump trid file 7z clamscan pescanner pyew upx packerid volatility strings hachoir- metadata hachoir-subfile jd-gui js-beautify pdnstool swf_mastah flashbug pdfextract $ sudo find / -group goodies –exec basename {} \; pdfid pdf-parser pdfxray_lite peepdfvbindiff ssdeep md5deep hashdeep sha1sum bytehist pyew radare icat ils sorter swfdump swfextract srch_strings yara rhino burpsuite Xorsearch origami

  6. www.foundstone.com Copyright © 2012, McAfee, Inc. REMnux ► File Identification

    ▪ file ▪ TRiD ▪ 7zip ▪ hachoir-metadata

  7. www.foundstone.com Copyright © 2012, McAfee, Inc. REMnux ► File Analysis

    ▪ strings ▪ srch_strings ▪ hachoir-subfile ▪ pyew ▪ pescanner

  8. www.foundstone.com Copyright © 2012, McAfee, Inc. YARA $ cat /usr/local/etc/capabilities.yara

    | grep oohyeah

  9. www.foundstone.com Copyright © 2012, McAfee, Inc. REMnux ▪ INetSIM 

    /etc/inetsim/inetsim.conf – #service_bind_address 10.10.10.1 – #dns_default_ip 10.10.10.1  Sample of services … – HTTP / HTTPS – SMTP / SMTPS – POP3 / POP3S – DNS – FTP / FTPS – TFTP – IRC – NTP – Ident – Finger – Syslog $ man INetSIM

  10. www.foundstone.com Copyright © 2012, McAfee, Inc. Questions? ?